In addition to firewall rulesets, the /proc filesystem offers some significant enhancements to your network security settings. Unfortunately, most of us are unaware of anything beyond the vague rumors and advice we've heard about this beast. In this article, we'll review some of the basic essentials of the /proc/sys/net/ipv4 filesystem necessary to add to the overall network security of your Linux server.
Perhaps one of the more frequently neglected areas of firewall configuration involves the /proc filesystem. The pseudo file structure within proc allows you to interface with the internal data structures in the kernel, either obtaining information about the system or changing specific settings. Some of the parts of /proc are read-only, while others can be modified. It is often referred to as a virtual filesystem in that it doesn't take up any actual hard drive space; files are created only on demand when you access them. In this article, we will be focusing specifically on /proc/sys/net/ipv4.
In order to benefit from the use of the /proc filesystem, you'll need to enable two settings when building your kernel. CONFIG_PROC_FS is the setting that allows you to access and view the /proc filesystem, and CONFIG_SYSCTL is the bit that actually allows you to modify /proc entries without requiring a reboot of the system or a recompile of the kernel. Settings are only available at boot time after the /proc file system has been mounted.
Ping scanning is typically used to determine which hosts on a network are up. Typically this is done by sending ICMP ECHO request packets to the target host. This is seemingly innocent behavior; however, network administrators will often block such traffic to increase their obscurity. The choices involve blocking ICMP ECHO requests sent to broadcast/multicast addresses and those sent directly to the host itself. The respective commands to disable this protection are:
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
ICMP redirect messages can also be a pain. If your box is not acting as a router, you'll probably want to disable them:
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
Sometimes you will come across routers that send out invalid responses to broadcast frames. This is a violation of RFC 1122, "Requirements for Internet Hosts -- Communication Layers". As a result, these events are logged by the kernel. To avoid filling up your logfile with unnecessary clutter, you can tell the kernel not to issue these warnings:
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
Ironically, IP forwarding of packets between interfaces is enabled by default on many systems in their startup scripts. If you're not intending for your box to forward traffic between interfaces, or if you only have a single interface, it would probably be a good idea to disable forwarding. Note that altering this value resets all configuration parameters to their default values; specifically, RFC1122 for hosts and RFC1812 for routers. As a result, you'll want to modify this one before all other /proc settings.
if [ -r /proc/sys/net/ipv4/ip_forward ]; then
echo "Disabling IP forwarding"
echo "0" > /proc/sys/net/ipv4/ip_forward
fi
If instead you decide to enable forwarding, you will also be able to modify the rp_filter setting, something that is often misunderstood by network administrators. The rp_filter can reject incoming packets if their source address doesn't match the network interface that they're arriving on, which helps to prevent IP spoofing. Turning this on, however, has its consequences: if your host has several IP addresses on different interfaces, or if your single interface has multiple IP addresses on it, you'll find that your kernel may end up rejecting valid traffic. It's also important to note that even if you do not enable the rp_filter, protection against broadcast spoofing is always on. Also, the protection it provides is only against spoofed internal addresses; external addresses can still be spoofed. By default, it is disabled. To enable it, run the following:
if [ -r /proc/sys/net/ipv4/conf/all/rp_filter ]; then
echo "Enabling rp_filter"
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
fi
You may have also noticed the "all" subdirectory in this last example. In /proc/sys/net/ipv4/conf there is one subdirectory for each interface on your system along with one directory called "all". Changing a specific interface directory only affects that specific interface, while changes made to the "all" directory affect all interfaces on the system.
If you have compiled your kernel with CONFIG_SYNCOOKIES, you will be able to optionally turn on or off protection against SYN flood attacks. Note the word "optionally": compiling the kernel with this value does not enable it by default. It works by sending out 'syncookies' when the syn backlog queue of a socket overflows. What is often misunderstood is that socket backlogging is not supported in newer operating systems, which means that your error messages may not be correctly received by the offending system. Also, if you see synflood warnings in your logs, make sure they are not the result of a heavily loaded server before enabling this setting. Syncookies can also cause connection problems for other hosts attempting to reach you. However, if you do want to enable this setting, perform the following:
if [ -r /proc/sys/net/ipv4/tcp_syncookies ]; then
echo "Enabling tcp_syncookies"
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
fi
Normally, a host has no control over the route any particular packet takes beyond its first hop. It is up to the other hosts on the network to complete the delivery. IP Source Routing (SRR) is a method of specifying the exact path that a packet should take among the other hosts to get to its destination. This is generally a bad idea for the security conscious, as someone could direct packets to you through a trusted interface and effectively bypass your security in some cases. For example, traffic such as SSH or telnet that is blocked on one interface might arrive on another of your host's interfaces if source routing is used, which you might not have anticipated in your firewall settings. You'll probably want to disable this setting with:
if [ -r /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
echo "Disabling source routing"
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
fi
Packets that have source addresses with no known route are referred to as "martians". For example, if you have two different subnets plugged into the same hub, the routers on each end will see each other as martians. To log such packets, which should never show up in the first place, to the kernel log, you'll need to issue:
if [ -r /proc/sys/net/ipv4/conf/all/log_martians ]; then
echo "Enabling logging of martians"
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
fi
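The snippets above all follow the same pattern: check that the /proc entry exists, write the value, and move on. The following script is an added example, not code from the original article, that gathers the settings discussed above into one table, writes them in the order the article recommends (ip_forward first, because changing it resets the conf/* defaults), reads each value back to confirm the write stuck, and can audit a host without changing anything. The PROC_IPV4 variable, the HARDENING_TABLE, and the function names are this example's own; pointing PROC_IPV4 at a directory of ordinary files lets you dry-run it without root. The ICMP entries are set to 1 here, which is the opposite of the "disable protection" commands shown earlier, so that the host ignores both broadcast pings and pings to itself.

```shell
#!/bin/sh
# Added example (not from the original article): apply and audit the
# /proc/sys/net/ipv4 settings discussed above as one idempotent script.
# PROC_IPV4 defaults to the real directory; point it at a directory of
# constructed files for a dry run without root. POSIX sh only.
PROC_IPV4="${PROC_IPV4:-/proc/sys/net/ipv4}"

# Desired values, one "path value" pair per line, relative to PROC_IPV4.
# ip_forward comes first because writing it resets conf/* to defaults.
# rp_filter=1 assumes the host is not multi-homed (see the caveat above).
HARDENING_TABLE='
ip_forward 0
icmp_echo_ignore_broadcasts 1
icmp_ignore_bogus_error_responses 1
conf/all/accept_redirects 0
conf/all/accept_source_route 0
conf/all/rp_filter 1
conf/all/log_martians 1
tcp_syncookies 1
'

# set_proc_value PATH VALUE
# Returns 0 if the entry now holds VALUE, 1 if the entry does not exist
# (kernel built without that option), 2 if the write did not stick.
set_proc_value() {
    spv_file="$PROC_IPV4/$1"
    [ -r "$spv_file" ] || return 1
    echo "$2" > "$spv_file" 2>/dev/null || return 2
    [ "$(cat "$spv_file")" = "$2" ] || return 2
}

# get_proc_value PATH: print the current value, or "absent".
get_proc_value() {
    if [ -r "$PROC_IPV4/$1" ]; then cat "$PROC_IPV4/$1"; else echo absent; fi
}

# audit_proc_values: print one "PATH current expected" line per entry that
# differs from the table; prints nothing when the host matches it fully.
audit_proc_values() {
    while read -r apv_key apv_want; do
        [ -n "$apv_key" ] || continue
        apv_have=$(get_proc_value "$apv_key")
        [ "$apv_have" = "$apv_want" ] || echo "$apv_key $apv_have $apv_want"
    done <<EOF
$HARDENING_TABLE
EOF
}

# apply_hardening: write every table entry and report what happened.
# Returns 0 if every present entry was set, 1 if any write was rejected.
apply_hardening() {
    ah_failed=0
    while read -r ah_key ah_want; do
        [ -n "$ah_key" ] || continue
        set_proc_value "$ah_key" "$ah_want" && ah_rc=0 || ah_rc=$?
        case $ah_rc in
            0) echo "set  $ah_key=$ah_want" ;;
            1) echo "skip $ah_key (not present in this kernel)" ;;
            *) echo "FAIL $ah_key (write rejected)"; ah_failed=1 ;;
        esac
    done <<EOF
$HARDENING_TABLE
EOF
    return $ah_failed
}

# list_interface_values NAME: show NAME for "all" and for each interface
# directory under conf/, so per-interface overrides are easy to spot.
list_interface_values() {
    for liv_dir in "$PROC_IPV4"/conf/*/; do
        [ -r "$liv_dir$1" ] || continue
        echo "$(basename "$liv_dir") $(cat "$liv_dir$1")"
    done
}

# Usage: "sh harden.sh" audits; "sh harden.sh apply" writes (needs root).
if [ "${1:-}" = apply ]; then apply_hardening; else audit_proc_values; fi
```

Run it without arguments first: an empty audit means every entry already holds the table value, and each printed line tells you which entry differs and what it would be changed to. Because the values are read back after every write, a "FAIL" line points at an entry the kernel refused, which is worth investigating before trusting the rest of the configuration.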
For more information regarding the /proc filesystem, you may want to refer to the documentation that comes with the Linux kernel source. Of specific help is Documentation/filesystems/proc.txt by Bowden, Bauer & Nerin. Additionally, you can refer to Documentation/networking/ip-sysctl.txt by Kuznetsov & Savola.